SMTP sessions between Hub Transport servers for encryption only by using public keys

For communication between Hub Transport servers, anonymous TLS and the public keys from certificates are used to encrypt the session. But the next authentication is Kerberos authentication. When an SMTP session is established, the receiving server initiates a certificate selection process to determine which certificate to use in the TLS negotiation. The sending server also performs a certificate selection process. For more information about that process, see Selection of Outbound Anonymous TLS Certificates.

This topic describes the selection process for inbound anonymous TLS certificates. All the steps are performed on the receiving server. The following figure shows the steps of this process.

Selection of an inbound anonymous TLS certificate

When the SMTP session is established, Microsoft Exchange calls a process to load the certificates.

In the load certificate function, the Receive connector to which the session is connected is checked to see whether the AuthMechanism property is set to a value of ExchangeServer. You can set the AuthMechanism property on the Receive connector by using the Set-ReceiveConnector cmdlet. You can also set the AuthMechanism property to ExchangeServer by selecting Exchange Server authentication on the Authentication tab of a given Receive connector.

If ExchangeServer is not enabled as an authentication mechanism, the server does not advertise X-ANONYMOUSTLS to the sending server in the SMTP session and no certificate is loaded. If ExchangeServer is enabled as an authentication mechanism, the certificate selection process continues to the next step.

Microsoft Exchange queries the Active Directory directory service to retrieve the thumbprint of the certificate on the server. The msExchServerInternalTLSCert attribute on the server object stores the certificate thumbprint.

If the msExchServerInternalTLSCert attribute cannot be read or if the value is null, Microsoft Exchange does not advertise X-ANONYMOUSTLS and no certificate is loaded.

Note:

If the msExchServerInternalTLSCert attribute cannot be read or if the value is null during startup of the Microsoft Exchange Transport service, instead of during the SMTP session, Event ID 12012 is logged in the Application log.

If a thumbprint is found, the certificate selection process searches the local computer certificate store for a certificate that matches the thumbprint. If the certificate is not found, the server does not advertise X-ANONYMOUSTLS, no certificate is loaded, and Event ID 12013 is logged in the Application log.

After a certificate is loaded from the certificate store, it is checked to see whether it has expired. The Valid to field on the certificate is compared to the current date and time. If the certificate has expired, Event ID 12015 is logged in the Application log. But the certificate selection process does not fail and continues with the remaining checks.

The certificate is checked to see whether it is the latest in the local computer’s certificate store. As part of this check, a domain list is built for potential certificate domains. The domain list is based on the following computer configuration:

Fully qualified domain name (FQDN), such as mail.contoso.com

Host name, such as EdgeServer01

Physical FQDN, such as EdgeServer01.contoso.com

Physical host name, such as EdgeServer01

Note:

If the server is configured as a cluster or for a computer that is running Microsoft Windows Load Balancing, the following registry key is checked instead of the DnsFullyQualifiedDomainName setting: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\{GUID}\ClusterName

After the domain list is built, the certificate selection process checks to find all certificates in the certificate store that have a matching FQDN. From this list, the certificate selection process identifies a list of eligible certificates. Eligible certificates must meet the following criteria:

The certificate is an X.509 version 3 or a later version certificate.

The certificate has an associated private key.

The Subject or Subject Alternate Name fields contain the FQDN that was retrieved in step 6.

The certificate is enabled for Secure Sockets Layer (SSL)/TLS use. Specifically, the SMTP service has been enabled for this certificate by using the Enable-ExchangeCertificate cmdlet.

From the eligible certificates, the best certificate is selected based on the following sequence:

Sort eligible certificates by most recent Valid from date. Valid from is a Version 1 field on the certificate.

The first valid public key infrastructure (PKI) certificate that is found in this list is used.

If no valid PKI certificates are found, the first self-signed certificate is used.

After the best certificate has been determined, another check is made to determine whether its thumbprint matches the certificate that is stored in msExchServerInternalTLSCert attribute. If the certificate matches, the certificate is used for X-AnonymousTLS. If it does not match, Event ID 1037 is logged in the Application log. However, this does not cause X-AnonymousTLS to fail.